Abstract

We present a simple deterministic gap-preserving reduction from SAT to the Minimum
Distance of Code Problem over $\mathbb{F}_2$. We also show how to extend the reduction to
work over any finite field. Previously a randomized reduction was known due to Dumer,
Micciancio, and Sudan [8], which was recently derandomized by Cheng and Wan [6, 7].
These reductions rely on highly non-trivial coding theoretic constructions whereas our
reduction is elementary.

As an additional feature, our reduction gives a constant factor hardness even for 
asymptotically good codes, i.e., having constant rate and relative distance. Previously 
it was not known how to achieve deterministic reductions for such codes. 
1 Introduction

The Minimum Distance of Code Problem over a finite field $\mathbb{F}_q$, denoted Min Dist($q$), asks
for a non-zero codeword with minimum Hamming weight in a given linear code $C$ (i.e., a
linear subspace of $\mathbb{F}_q^n$). The problem was proved to be NP-hard by Vardy [15].

Dumer, Micciancio, and Sudan [8] proved that assuming RP $\neq$ NP the problem is hard
to approximate within some factor $\gamma > 1$ using a gap preserving reduction from the Nearest
Codeword Problem, denoted NCP($q$) (which is known to be NP-hard even with a large
gap). The latter problem asks, given a code $C \subseteq \mathbb{F}_q^n$ and a point $p \in \mathbb{F}_q^n$, for a codeword
that is nearest to $p$ in Hamming distance. However, Dumer et al.'s reduction is randomized:
it maps an instance $(C,p)$ of NCP($q$) to an instance C of Min Dist($q$) in a randomized
manner such that: in the YES Case, with high probability, the code C has a non-zero
codeword with weight at most $d$, and in the NO Case, C has no non-zero codeword of
weight less than $\gamma d$, for some fixed constant $\gamma > 1$. We note that the minimum distance
of code is multiplicative under the tensor product of codes; this enables one to boost the
inapproximability result to any constant factor, or even to an almost polynomial factor
(under a quasipolynomial time reduction), see [8].

The randomness in Dumer et al.'s reduction is used for constructing, as a gadget, a
non-trivial coding theoretic construction with certain properties (see Section 1.1 for details). In
a remarkable pair of papers, Cheng and Wan [6, 7] recently constructed such a gadget
deterministically, thereby giving a deterministic reduction to the Gap Min Dist($q$) Problem.
Cheng and Wan's construction is quite sophisticated. It is an interesting pursuit, in our
opinion, to seek an elementary deterministic reduction for the Gap Min Dist($q$) Problem.

In this paper, we indeed present such a reduction. For codes over $\mathbb{F}_2$, our reduction
is (surprisingly) simple, and does not rely on any specialized gadget construction. The
reduction can be extended to codes over any finite field $\mathbb{F}_q$; however, then the details of
the reduction become more involved, and we need to use Viola's recent construction of a
pseudorandom generator for low degree polynomials [16]. Even in this case, the resulting
reduction is conceptually quite simple.

We also observe that our reduction produces asymptotically good codes, i.e., having 
constant rate and relative distance. While Dumer et al. [8] are able to prove randomized 
hardness for such codes, this was not obtained by the deterministic reduction by Cheng and 
Wan. In [7], proving a constant factor hardness of approximation for asymptotically good
codes is mentioned as an open problem. 

Our main theorem is thus: 

Theorem 1.1. For any finite field $\mathbb{F}_q$, there exists a constant $\gamma > 0$ such that it is NP-hard
(via a deterministic reduction) to approximate the Min Dist($q$) problem to within a factor
$1 + \gamma$, even on codes with rate $> \gamma$ and relative distance $> \gamma$ (i.e., asymptotically good
codes).

As noted before, the hardness factor can be boosted via tensor product of codes (though 
after a superconstant amount of tensoring the code is no longer asymptotically good): 

Theorem 1.2. For any finite field $\mathbb{F}_q$, and constant $\epsilon > 0$, it is hard to approximate the
Min Dist($q$) problem to within a factor $2^{\log^{1-\epsilon} n}$ unless NP $\subseteq$ DTIME$(2^{\log^{O(1)} n})$.






Another motivation to seek a new deterministic reduction for Min Dist($q$) is that it
might lead to a deterministic reduction for the analogous problem for integer lattices, namely
the Shortest Vector Problem (SVP). For SVP, we do not know of a deterministic reduction
that proves even the basic NP-hardness, let alone a hardness of approximation result. All
known reductions are randomized [TJ [T^l fTTj \12\ I10j . In fact, the reduction of Dumer et
al. [8] giving hardness of approximation for Min Dist($q$) assuming NP $\neq$ RP is inspired by
a reduction by Micciancio [T3] for SVP.

Our hope is that our new reduction for Min Dist($q$) can be used to shed new light
on the hardness of SVP. For instance, it might be possible to combine our reductions for
Min Dist($q$) for different primes $q$ so as to give a reduction over integers, i.e., a reduction
to SVP.

1.1 Previous Reductions 

On a high level, the idea of the reduction of Dumer et al. [8] is the following. We start
from the hardness of approximation for NCP. Given an instance $(C,p)$, let us look at the
code C = span($C \cup \{p\}$). Then any codeword of C which uses the point $p$ must have large
distance. However, it can be that the code C itself has very small distance so that the
minimum distance of C is unrelated to the distance from $p$ to C. Loosely speaking, the
idea is then to combine C with an additional code C such that any codeword which does
not use $p$ must have a large weight in C.

Let us briefly describe the gadget of [8]. They use a coding theoretic construction with
the following properties (slightly restated). Let $\frac{1}{2} < \rho < 1$ be a fixed constant and $k$ be a
growing integer parameter. The field size $q$ is thought of as a fixed constant.

1. $C^* \subseteq \mathbb{F}_q^{\ell}$ is a linear code with distance $d$, where $\ell$ is polynomial in $k$ (think of $\ell = k^{100}$).

2. There is a "center" $v \in \mathbb{F}_q^{\ell}$ such that the ball of radius $r$ around $v$, denoted $B(v,r)$,
contains $q^k$ codewords and $r = \lfloor \rho d \rfloor$. In notation, $|B(v,r) \cap C^*| \geq q^k$.

3. There is a linear map $T : \mathbb{F}_q^{\ell} \to \mathbb{F}_q^{k'}$ such that the image of $B(v,r) \cap C^*$ under $T$ is the
full space $\mathbb{F}_q^{k'}$. Here $k'$ is polynomial in $k$ (think of k' = A; 01 ).

Dumer et al. achieve such a construction in a randomized manner. They let $C^*$ be
a suitable concatenation of Reed-Solomon codes with the Hadamard code so that even a
typical ball of radius $r$ contains many (i.e., $q^k$) codewords. Hence choosing the center $v$
at random satisfies the second property. They show further that a random linear map $T$
satisfies the third property. By giving a deterministic construction of such a gadget, Cheng
and Wan [6, 7] recently derandomized the reduction of [8].

1.2 Organization 

We present a proof of this theorem for the binary field in Section 3 and for a general finite
field in Section 5. Even for the binary case, it is instructive to first see a reduction to
NCP(2) in Section 3.1, which is then extended to the Min Dist(2) problem in Section 3.2.

2 Preliminaries



2.1 Codes 

Let q be a prime power. 

Definition 2.1. A linear code $C$ over a field $\mathbb{F}_q$ is a linear subspace of $\mathbb{F}_q^n$, where $n$ is the
block-length of the code and dimension of the subspace $C$ is the dimension of the code. The
distance of the code $d(C)$ is the minimum Hamming weight of any non-zero vector in $C$.

The two problems Min Dist($q$) and NCP($q$) are defined as follows.

Definition 2.2. Min Dist($q$) is the problem of determining the distance $d(C)$ of a linear
code $C \subseteq \mathbb{F}_q^n$. The code may be given by the basis vectors for the subspace $C$ or by the
linear forms defining the subspace.

Definition 2.3. NCP($q$) is the problem of determining the minimum distance from a given
point $p \in \mathbb{F}_q^n$ to any codeword in a given code $C \subseteq \mathbb{F}_q^n$. Equivalently, it is the problem of
determining the minimum Hamming weight of any point $z$ in a given affine subspace of $\mathbb{F}_q^n$
(which would be $C - p$).

Our reduction uses tensor products of codes, which are defined as follows. 

Definition 2.4. Let $C_1, C_2 \subseteq \mathbb{F}_q^n$ be linear codes. Then the linear code $C_1 \otimes C_2 \subseteq \mathbb{F}_q^{n^2}$ is
defined as the set of all $n \times n$ matrices over $\mathbb{F}_q$ such that each of its columns is a codeword
in $C_1$ and each of its rows is a codeword in $C_2$.

A well-known fact is that the distance of a code is multiplicative under the tensor 
product of codes. 

Fact 2.5. Let $C_1, C_2 \subseteq \mathbb{F}_q^n$ be linear codes. Then the linear code $C_1 \otimes C_2 \subseteq \mathbb{F}_q^{n^2}$ has distance
$d(C_1 \otimes C_2) = d(C_1)\,d(C_2)$.

We shall need the following Lemma which shows that for many codewords of $C \otimes C$ one
can obtain a stronger bound on the distance than the bound $d(C)^2$ given by Fact 2.5.

Lemma 2.6. Let $C \subseteq \mathbb{F}_q^n$ be a linear code of distance $d = d(C)$, and let $Y \in C \otimes C$ be a
non-zero codeword with the additional properties that

1. The diagonal of $Y$ is zero.

2. $Y$ is symmetric.

Then $Y$ has at least $d^2(1 + 1/q)$ non-zero entries.

Proof. Suppose $Y_{ij} = Y_{ji} \neq 0$. Since we have $Y_{ii} = 0$ it must hold that $i \neq j$ and that rows $i$
and $j$ are linearly independent codewords of $C$. By Fact 2.7 below it follows that the number
of columns $k$ such that at least one of $Y_{ik}$ and $Y_{jk}$ is non-zero is at least $d(1 + 1/q)$. Each
of these columns then has at least $d$ non-zero entries and hence $Y$ has at least $d^2(1 + 1/q)$
non-zero entries. □






Fact 2.7. Let $C \subseteq \mathbb{F}_q^n$ be a linear code of distance $d = d(C)$. Then for any two linearly
independent codewords $x, y \in \mathbb{F}_q^n$, the number of coordinates $i \in [n]$ for which either $x_i \neq 0$
or $y_i \neq 0$ is at least $d(1 + 1/q)$.

Proof. Let $m$ be the number of coordinates such that $x_i \neq 0$ or $y_i \neq 0$ but not both, and
let $m'$ be the number of coordinates such that both $x_i \neq 0$ and $y_i \neq 0$. Clearly,

$$m + 2m' \geq 2d.$$

We can choose $\lambda \neq 0$ appropriately so that the vector $x - \lambda y$ has at most $m + m' - m'/(q-1)$
non-zero entries. This implies

$$m + m' - m'/(q-1) \geq d.$$

Multiplying the first inequality by $1/q$, the second by $(q-1)/q$, and adding up gives $m + m' \geq
d(1 + 1/q)$ as desired. □

2.2 Hardness of Constraint Satisfaction 

The starting point in our reduction is a constraint satisfaction problem that we refer to as 
the Max NAND problem, defined as follows. 

Definition 2.8. An instance $\Psi$ of the Max NAND problem consists of a set of quadratic
equations over $\mathbb{F}_2$, each of the form $x_k = \mathrm{NAND}(x_i, x_j) = 1 + x_i \cdot x_j$ for some variables
$x_i, x_j, x_k$. The objective is to find an assignment to the variables such that as many equations
as possible are satisfied. We denote by $\mathrm{Opt}(\Psi) \in [0, 1]$ the maximum fraction of satisfied
equations over all possible assignments to the variables.

The following is an easy consequence of the PCP Theorem [3, 2] and the fact that
NAND gates form a basis for the space of boolean functions.

Theorem 2.9. There is a universal constant $\delta > 0$ such that given a Max NAND instance
$\Psi$ it is NP-hard to determine whether $\mathrm{Opt}(\Psi) = 1$ or $\mathrm{Opt}(\Psi) < 1 - \delta$.

3 The Binary Case 

In this section we give a simple reduction from Max NAND showing that it is NP-hard to 
approximate Min Dist(2) to within some constant factor. 

3.1 Reduction to Nearest Codeword 

It is instructive to start with a reduction for the Nearest Codeword Problem, NCP(2), for 
which it is significantly easier to prove hardness. There are even simpler reductions known 
than the one we give here, but as we shall see in the next section this reduction can be 
modified to give hardness for the Min Dist(2) problem. 

Given a Max NAND instance $\Psi$ with $n$ variables and $m$ constraints, we shall construct
an affine subspace $S$ of $\mathbb{F}_2^{4m}$ such that:

(i) If $\Psi$ is satisfiable then $S$ has a vector of Hamming weight at most $m$.

(ii) If $\mathrm{Opt}(\Psi) < 1 - 2\delta$ then $S$ has no vector of Hamming weight less than $(1 + 2\delta)m$.

This proves, according to Definition 2.3, that NCP(2) is NP-hard to approximate within a
factor $1 + 2\delta$.

Every constraint $x_k = 1 + x_i \cdot x_j$ in $\Psi$ gives rise to four new variables, as follows. We
think of the four variables as a function $S_{ijk} : \mathbb{F}_2^2 \to \mathbb{F}_2$. The intent is that this function
should be the indicator function of the values of $x_i$ and $x_j$, in other words, that
$S_{ijk}(a, b) = 1$ if $x_i = a$ and $x_j = b$, and $S_{ijk}(a, b) = 0$ otherwise.

With this interpretation in mind, each function $S_{ijk}$ has to satisfy the following linear
constraints over $\mathbb{F}_2$:

\begin{align}
S_{ijk}(0,0) + S_{ijk}(0,1) + S_{ijk}(1,0) + S_{ijk}(1,1) &= 1 \tag{1} \\
S_{ijk}(1,0) + S_{ijk}(1,1) &= x_i \tag{2} \\
S_{ijk}(0,1) + S_{ijk}(1,1) &= x_j \tag{3} \\
S_{ijk}(0,0) + S_{ijk}(0,1) + S_{ijk}(1,0) &= x_k \tag{4}
\end{align}

Thus, we have a set of $n + 4m$ variables $z_1, \ldots, z_{n+4m}$ (recall that $n$ and $m$ are the number of
variables and constraints of $\Psi$ respectively) and $4m$ linear constraints of the form $\sum_j l_{ij} z_j =
b_i$ where $l_i \in \mathbb{F}_2^{n+4m}$ and $b_i \in \mathbb{F}_2$.

Let $S \subseteq \mathbb{F}_2^{4m}$ be the affine subspace of $\mathbb{F}_2^{4m}$ defined by the set of solutions to the system
of equations, projected to the $4m$ coordinates corresponding to the $S_{ijk}$ variables. Note that
these coordinates uniquely determine the remaining $n$ coordinates (assuming without loss
of generality that every variable of $\Psi$ appears in some constraint), according to Equations
(2)-(4).

Now, if $\Psi$ is satisfiable, then using the satisfying assignment for $x$ and the intended
values for the $S_{ijk}$'s we obtain an element of $S$ with $m$ non-zero entries. Note that for
each constraint involving variables $x_i, x_j, x_k$, exactly one of the four variables $S_{ijk}(\cdot,\cdot)$ is
non-zero.

On the other hand, note that if the function $S_{ijk}(\cdot,\cdot)$ has exactly one non-zero entry it
must be that the induced values of $(x_i, x_j, x_k)$ satisfy the constraint $x_k = 1 + x_i \cdot x_j$ (which
one can see either by trying all such $S_{ijk}$ or noting that each of the four different satisfying
assignments to $(x_i, x_j, x_k)$ gives a unique such $S_{ijk}$). Since every $S_{ijk}$ is constrained to have
an odd number of non-zero entries by Equation (1), it means that whenever $S_{ijk}$ induces
values of $(x_i, x_j, x_k)$ that do not satisfy $x_k = 1 + x_i \cdot x_j$, it must hold that $S_{ijk}$ has three
non-zero entries. Therefore, we see that if $\mathrm{Opt}(\Psi) < 1 - \delta$, it must hold that every element
of $S$ has at least $(1 + 2\delta)m$ non-zero entries.

To summarize, we obtain that it is NP-hard to approximate the minimum weight element
of an affine subspace (or equivalently, the Nearest Codeword Problem) to within a constant
factor $1 + 2\delta$.



3.2 Reduction to Minimum Distance 

To get the hardness result for the Min Dist problem, we would like to alter the reduction
in the previous section so that it produces a linear subspace rather than an affine one. The
only non-homogeneous part of the subspace produced are the equations (1) constraining each
$S_{ijk}$ to have an odd number of entries. To produce a linear subspace, we are going to replace
the constant 1 with a variable $x_0$, which is intended to take the value 1. In other words, we
replace Equation (1) with the following equation:

$$S_{ijk}(0,0) + S_{ijk}(0,1) + S_{ijk}(1,0) + S_{ijk}(1,1) = x_0 \tag{1'}$$

However, in order to make this work we need to ensure that every assignment where $x_0$ is
set to 0 has large weight, and this requires adding some more components to the reduction.

A first observation is that the system of constraints relating $S_{ijk}$ to $(x_0, x_i, x_j, x_k)$ is
invertible. Namely, we have Equations (1')-(4) and inversely, that

$$\begin{aligned}
S_{ijk}(0,0) &= x_i + x_j + x_k, & S_{ijk}(0,1) &= x_0 + x_j + x_k, \\
S_{ijk}(1,0) &= x_0 + x_i + x_k, & S_{ijk}(1,1) &= x_0 + x_k.
\end{aligned}$$

Second, if $x_0 = 0$ but at least one of $(x_i, x_j, x_k)$ is non-zero, it must hold that $S_{ijk}$ has at
least two non-zero entries. Thus, if it happens that for a large fraction (more than 1/2) of
constraints at least one of $(x_i, x_j, x_k)$ is non-zero, it must be the case that the total weight
of the $S_{ijk}$'s is larger than $m$. But of course, we have no way to guarantee such a condition
on $(x_i, x_j, x_k)$.

However, we can construct what morally amounts to a separate dummy instance of
Max NAND that has this property, and then let it use the same $x_0$ variable as $\Psi$. Towards
this end, let $C \subseteq \mathbb{F}_2^N$ be a linear code of relative distance $1/2 - \epsilon$. Here $\epsilon > 0$ will be chosen
sufficiently small and for reasons that will become clear momentarily, the dimension of the
code will be exactly $n$ so that one can take $N = O(n)$.

Now we introduce $N + N^2$ new variables which we think of as a vector $y \in \mathbb{F}_2^N$ and
matrix $Y \in \mathbb{F}_2^{N \times N}$. The vector $y$ should be an element of $C$ and the matrix $Y$ should be
an element of $C \otimes C$. The intention is that $Y = y \cdot y^T$, or in other words, that for every
$i, j \in [N]$ we have $Y_{ij} = y_i \cdot y_j$.

Analogously to the $S_{ijk}$ functions intended to check the NAND constraints of $\Psi$, we
now introduce for every $i, j \in [N]$ a function $Z_{ij} : \mathbb{F}_2^2 \to \mathbb{F}_2$ that is intended to check the
constraint $Y_{ij} = y_i \cdot y_j$, and that is supposed to be the indicator of the assignment to the
variables $(y_i, y_j)$. We then impose the analogues of the constraints (1')-(4), viz.

\begin{align}
Z_{ij}(0,0) + Z_{ij}(0,1) + Z_{ij}(1,0) + Z_{ij}(1,1) &= x_0 \tag{5} \\
Z_{ij}(1,0) + Z_{ij}(1,1) &= y_i \tag{6} \\
Z_{ij}(0,1) + Z_{ij}(1,1) &= y_j \tag{7} \\
Z_{ij}(1,1) &= Y_{ij}. \tag{8}
\end{align}



Figure 1 gives an overview of the different components of the reduction and their relations
(including some relations that we have not yet described, though we shall do so momentarily).

Figure 1: The different components of the reduction to Min Dist(2). An
arrow from one component to another indicates that the second component is
a linear function of the first, with the label indicating the nature of this linear
function.



The final subspace $S$ will consist of the projection to the $4m$ different $S_{ijk}$ variables and
the $4N^2$ different $Z_{ij}$ variables, but with each of the $S_{ijk}$ variables repeated some $r \approx N^2/m$
number of times in order to make these two sets of variables of comparable size.

Note that by Equations (1')-(4) and (5)-(8) these variables uniquely determine $x_0$, $x$, $y$
and $Y$. Furthermore, because of the invertibility of these constraints, we have that if some
$S_{ijk}$ or $Z_{ij}$ is non-zero it must hold that one of $x_0$, $x$, $y$ and $Y$ is non-zero.

As in the previous section, when $x_0$ is non-zero, each $S_{ijk}$ and $Z_{ij}$ must have at least
one non-zero entry and all the $\delta$ fraction of the $S_{ijk}$'s corresponding to unsatisfied NAND
constraints of $\Psi$ must have at least three non-zero entries, giving a total weight of

$$(1 + 2\delta)rm + N^2.$$

Now consider the case that $x_0$ is zero. Let us first look at the subcase that $y$ is non-zero.
Since $y \in C$ is a non-zero codeword, at least $(1/2 - \epsilon)N$ of its coordinates are non-zero.
Thus, $(y_i, y_j) \neq (0,0)$ for at least $(3/4 - 2\epsilon)N^2$ pairs $(i, j)$. For each such pair, the corresponding
$Z_{ij}$ function is non-zero, and as argued earlier, has at least two non-zero entries, which
means that the total weight of the $Z_{ij}$'s is at least

$$2 \cdot (3/4 - 2\epsilon) \cdot N^2 = (3/2 - 4\epsilon) \cdot N^2.$$

The next subcase is that $x_0$ and $y$ are zero but either $x$ or $Y$ is non-zero. We first enforce
that $x = 0$. Recall that $C$ has dimension exactly $n$, and hence there is a one-to-one linear
map $C : \mathbb{F}_2^n \to \mathbb{F}_2^N$. We may therefore add the additional constraints that $y = C(x)$ is the
encoding of $x$. Then, $x$ is non-zero if and only if $y$ is.

The only possibility that remains is that $x_0$, $x$ and $y$ are all zero, but that the matrix $Y$ is
non-zero. In this case, it is easily verified from Equations (5)-(8) that for each $i, j \in [N]$ such
that $Y_{ij}$ is non-zero, it must be that $Z_{ij}$ has four non-zero entries. However, the distance
of the code $C \otimes C$ to which $Y$ belongs is only $(1/2 - \epsilon)^2 < 1/4$, so it seems as though we
just came short of obtaining a large distance. However, there are two additional constraints
that we can impose on $Y$: first, if $Y = y \cdot y^T$ we have that the diagonal entries $Y_{ii}$ should
equal $y_i^2 = y_i$, so we can add the requirement that the diagonal of $Y$ equals $y$. Second, it
should be the case that $Y_{ij} = Y_{ji}$, so we also add the constraint that $Y$ is symmetric. With
these constraints, Lemma 2.6 now implies that $Y$ in fact has $(1/2 - \epsilon)^2 \cdot \frac{3}{2} > (1/4 - 2\epsilon)\frac{3}{2}$
fraction non-zero entries. As mentioned above, each corresponding function $Z_{ij}$ has four
non-zero entries giving a total of

$$4 \cdot (3/8 - 3\epsilon) \cdot N^2 = (3/2 - 12\epsilon) \cdot N^2$$

non-zero entries.

In summary, this gives that when $\mathrm{Opt}(\Psi) < 1 - \delta$, every non-zero vector in $S$ must have
weight at least

$$\min\left\{ (1 + 2\delta)rm + N^2,\ (3/2 - 12\epsilon) \cdot N^2 \right\}$$

whereas if $\Psi$ is satisfiable the minimum distance is $rm + N^2$ (since exactly one entry is
non-zero for each $S_{ijk}$ and $Z_{ij}$). Choosing $\epsilon > 0$ sufficiently small and

$$r \approx \frac{N^2}{2(1 + 2\delta)m}$$

we obtain that it is NP-hard to approximate Min Dist(2) to within some factor $\delta' > 1$.

We have not yet proved that $C(\Psi)$ has good rate and distance. In Section 5.3 we give
a proof of this for our reduction for the general case. That proof also works for the binary
case.
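
The weight accounting used in Sections 3.1 and 3.2 can be checked by brute force. The following is an added example, not code from the paper: it solves Equations (1')-(4) for each gadget table and computes the minimum weight of the affine subspace for two small Max NAND instances. The function names, the 0-based variable indices and both instances are constructed for illustration.

```python
"""Weight accounting for the NAND gadget S_ijk over F_2 (Sections 3.1-3.2)."""
from itertools import product

# Order of the four table entries: S(0,0), S(0,1), S(1,0), S(1,1).
PAIRS = [(0, 0), (0, 1), (1, 0), (1, 1)]


def gadget_table(x0, xi, xj, xk):
    """Solve Equations (1')-(4) for S_ijk using the inverse map of Section 3.2.

    x0 is the homogenizing variable; x0 = 1 gives the affine system (1)-(4).
    """
    return ((xi + xj + xk) % 2, (x0 + xj + xk) % 2,
            (x0 + xi + xk) % 2, (x0 + xk) % 2)


def induced_values(table):
    """Read (x0, xi, xj, xk) back off a table via Equations (1')-(4)."""
    s = dict(zip(PAIRS, table))
    x0 = sum(table) % 2                          # Equation (1')
    xi = (s[1, 0] + s[1, 1]) % 2                 # Equation (2)
    xj = (s[0, 1] + s[1, 1]) % 2                 # Equation (3)
    xk = (s[0, 0] + s[0, 1] + s[1, 0]) % 2       # Equation (4)
    return x0, xi, xj, xk


def nand_holds(xi, xj, xk):
    """True when x_k = 1 + x_i * x_j over F_2."""
    return xk == (1 + xi * xj) % 2


def vector_for(constraints, x, x0=1):
    """The 4m coordinates of the subspace element determined by assignment x."""
    vec = []
    for i, j, k in constraints:
        vec.extend(gadget_table(x0, x[i], x[j], x[k]))
    return vec


def min_weight(n, constraints):
    """Minimum Hamming weight of the affine subspace S (x0 = 1).

    Every element of S is determined by an assignment x, so it suffices to
    enumerate all 2^n assignments (feasible only for toy instances).
    """
    return min(sum(vector_for(constraints, x))
               for x in product((0, 1), repeat=n))


def max_satisfied(n, constraints):
    """Largest number of NAND constraints satisfied by any assignment."""
    return max(sum(nand_holds(x[i], x[j], x[k]) for i, j, k in constraints)
               for x in product((0, 1), repeat=n))


def min_weight_with_x0_zero():
    """Smallest table weight when x0 = 0 but (xi, xj, xk) is non-zero."""
    return min(sum(gadget_table(0, *v))
               for v in product((0, 1), repeat=3) if any(v))


# Constructed instances; a triple (i, j, k) means x_k = NAND(x_i, x_j).
SAT_INSTANCE = [(0, 1, 2), (2, 2, 0), (2, 2, 1)]   # satisfied by x = (1, 1, 0)
UNSAT_INSTANCE = SAT_INSTANCE + [(2, 2, 2)]        # x_2 = NOT x_2 never holds

if __name__ == "__main__":
    for name, inst in (("sat", SAT_INSTANCE), ("unsat", UNSAT_INSTANCE)):
        m = len(inst)
        print(name, "m =", m, "max satisfied =", max_satisfied(3, inst),
              "min weight =", min_weight(3, inst))
```

A satisfied constraint contributes weight 1 and an unsatisfied one weight 3, so the minimum weight equals $m$ plus twice the minimum number of unsatisfied constraints.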



4 Interlude: Polynomials and Pseudorandomness over $\mathbb{F}_q$

In this section we describe some background material that we need for the generalization
of the reduction for $\mathbb{F}_2$ to any finite field.

We recall two basic properties about polynomials over finite fields. First, we have the
well-known fact that every function on $\mathbb{F}_q^n$ can be uniquely represented by a polynomial of
maximum degree $q - 1$.

Fact 4.1. The set of polynomials

$$\{ X_1^{i_1} X_2^{i_2} \cdots X_n^{i_n} : 0 \leq i_j \leq q - 1 \text{ for all } 1 \leq j \leq n \}$$

form a basis for the set of functions from $\mathbb{F}_q^n$ to $\mathbb{F}_q$.

Second, we have the Schwarz-Zippel Lemma.

Lemma 4.2 (Schwarz-Zippel). Let $p \in \mathbb{F}_q[X_1, \ldots, X_n]$ be a non-zero polynomial of total
degree at most $d$. Then $p$ has at most $dq^{n-1}$ zeros, i.e., at most a $d/q$ fraction of the points of $\mathbb{F}_q^n$.
4.1 Linear Approximations to Nonlinear Codes

In our hardness result for Min Dist($q$), we need explicit constructions of certain codes
which can be thought of as serving as linear approximations to some nonlinear codes. In
particular, we need a sequence of linear codes $C_1, \ldots, C_{q-1}$ over $\mathbb{F}_q$ with the following two
properties:

1. $d(C_e) > (1 - e/q) \cdot N$ for $1 \leq e \leq q - 1$.

2. If $x \in C_1$ then $x^e \in C_e$ for $1 \leq e \leq q - 1$. Here $x^e$ denotes the vector that is the
componentwise $e$-th power of $x$.

In other words, $C_e$ should contain the nonlinear code $\{x^e\}_{x \in C_1}$, while still having a
reasonable amount of distance. In this sense we can think of $C_e$ as a linear approximation to a
nonlinear code.

To obtain such a sequence of codes, we use pseudorandom generators for low-degree
polynomials. Such pseudorandom generators were recently constructed by Viola [16]
(building on [U IS]), who showed that the sum of $d$ PRGs for linear functions fools degree $d$
polynomials. Using his result, and PRGs against linear functions of optimal seed length
$\log_q n + O(1 + \log_q 1/\epsilon)$ (see e.g., Appendix A of [1]), one obtains the following theorem.

Theorem 4.3. For every prime power $q$, $d > 0$, $\epsilon > 0$ there is a constant $c := c(q,d,\epsilon)$
such that for every $n > 0$, there is a polynomial time constructible (multi)set $R \subseteq \mathbb{F}_q^n$ of size
$|R| < c \cdot n^d$ such that, for any polynomial $f : \mathbb{F}_q^n \to \mathbb{F}_q$ of total degree at most $d$, it holds
that

$$\sum_{a \in \mathbb{F}_q} \left| \Pr_{x \sim R}[f(x) = a] - \Pr_{x \sim \mathbb{F}_q^n}[f(x) = a] \right| < \epsilon. \tag{9}$$

Remark 4.4. The constant $c$ of Theorem 4.3 can be taken to be $c(q,d,\epsilon) = (q/\epsilon)^{O(d 2^d)}$.

Remark 4.5. In order for the hardness result of Theorem 1.1 to apply for codes with
constant rate, we need the set $R$ of Theorem 4.3 to have size $O(n^d)$. For this, the parameters
of Viola's result [16] are necessary, and the earlier result [13] does not suffice. If one does
not care about this property, any $|R| = \mathrm{poly}(n)$ suffices.

A simple corollary of the property (9) and the Schwarz-Zippel Lemma 4.2 is the following.

Corollary 4.6. If $d = q - 1$ the (multi)set $R \subseteq \mathbb{F}_q^n$ constructed in Theorem 4.3 has the
property that for every non-zero polynomial $f : \mathbb{F}_q^n \to \mathbb{F}_q$ of total degree at most $e \leq q - 1$,

$$\Pr_{x \sim R}[f(x) \neq 0] > 1 - e/q - \epsilon. \tag{10}$$

Now define, for $1 \leq e \leq q - 1$, $C_e$ to be the set of all vectors $(f(x))_{x \in R}$ where $f : \mathbb{F}_q^n \to \mathbb{F}_q$
is a degree $e$ polynomial with no constant term (i.e., $f(0) = 0$). Clearly, $C_e$ is a linear
subspace of $\mathbb{F}_q^{|R|}$. As observed in Corollary 4.6 the relative distance of $C_e$ is essentially
$1 - e/q$ (as $\epsilon$ can be taken to be arbitrarily small relative to $q$). Moreover, any $v \in C_1$ is
the evaluation vector of a degree one polynomial, and hence $v^e$ is the evaluation vector of
a degree $e$ polynomial, and therefore $v^e \in C_e$ as desired.
5 Reduction to Min Dist($q$) for $q \geq 3$

We now describe a general reduction from the Max NAND problem to the Min Dist($q$)
problem for any prime power $q$. The basic idea is the same as in the $\mathbb{F}_2$ case but some
additional work is needed both in the reduction itself and its analysis.

Given a Max NAND instance $\Psi$ we construct a linear code $C(\Psi)$ over $\mathbb{F}_q$ as follows.
For simplicity we here assume that $q \geq 3$ as the binary case was already handled in the
previous section. As before, let $n$ be the number of variables in the Max NAND instance
and $m$ the number of constraints.

Fix some small enough parameter $\epsilon$ and let $R \subseteq \mathbb{F}_q^n$ be the $\epsilon$-pseudorandom set for
degree $q - 1$ polynomials $\mathbb{F}_q^n \to \mathbb{F}_q$ given by Theorem 4.3. Let $N = |R| = O(n^{q-1})$.

For $0 \leq d \leq q - 1$, let $P_d \subseteq \mathbb{F}_q^N$ be the linear subspace of all degree $d$ polynomials in
$n$ variables with coefficients in $\mathbb{F}_q$ and no constant term, evaluated at points on $R$. I.e.,
all vectors in $P_d$ are of the form $(p(x))_{x \in R}$ for some polynomial $p \in \mathbb{F}_q[X_1, \ldots, X_n]$ with
$\deg(p) \leq d$ and $p(0) = 0$. Note that $P_d$ is a linear code and by Corollary 4.6 its relative
distance is at least $1 - d/q - \epsilon$.

We define $C = P_1$ and for $\alpha \in \mathbb{F}_q^n$ we write $C(\alpha) \in \mathbb{F}_q^N$ for the encoding of $\alpha$ under
$C$; this corresponds to the evaluations of the linear polynomial $\sum_{i=1}^n \alpha_i X_i$ at all points
$(X_1, \ldots, X_n)$ in $R$. Conversely, for a codeword $y \in C$ we write $\alpha = C^{-1}(y) \in \mathbb{F}_q^n$ for the
(unique) decoding of $y$.

From here on, we will ignore the parameter $\epsilon > 0$; it can be chosen to be sufficiently
small (independent of $q$ and the inapproximability for Max NAND) and hence the effect
of this can be made insignificant.

We now construct a linear code $C'(\Psi)$ with variables as described in Figure 2. As in the
$\mathbb{F}_2$ case, the final code $C(\Psi)$ will consist of the projection of these variables to the $Z_{ij}$'s and
the $S_{ijk}$'s, which determine the remaining variables by the constraints that we shall define
momentarily.



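1. For every $0 \leq e \leq 2(q - 1)$ a vector $Y^e \in \mathbb{F}_q^N$.

2. For every $0 \leq e, f \leq q - 1$ a matrix $Y^{e,f} \in \mathbb{F}_q^{N^2}$.

3. For every $1 \leq i, j \leq N$ a function $Z_{ij} : \mathbb{F}_q^2 \to \mathbb{F}_q$ (i.e., a vector in $\mathbb{F}_q^{q^2}$).

4. For every equation $x_k = 1 + x_i \cdot x_j$ in $\Psi$ a function $S_{ijk} : \mathbb{F}_2^2 \to \mathbb{F}_q$ (i.e.,
a vector in $\mathbb{F}_q^4$).

Figure 2: Variables of $C'(\Psi)$.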



Before we describe the constraints defining $C'(\Psi)$ it is instructive to describe the intended
values of these variables. Loosely speaking, the different $Y$ variables are supposed to be an
encoding of an assignment $\alpha \in \mathbb{F}_2^n$ to $\Psi$; the function $S_{ijk}$ is a check that $\alpha$ satisfies the
equation $x_k = 1 + x_i \cdot x_j$, and the $Z_{ij}$ functions check that the $Y$ variables resemble a valid
encoding of some $\alpha$.

Specifically, the variables are supposed to be assigned as described in Figure 3.

1. $Y^e$ is supposed to be $C(\alpha)^e$ (where we think of $\mathbb{F}_2^n$ as a subset of $\mathbb{F}_q^n$ in
the obvious way).

2. $Y^{e,f}$ is supposed to be $C(\alpha)^e \cdot (C(\alpha)^f)^T$ (i.e., we should have $Y^{e,f}(i,j) =
C(\alpha)_i^e C(\alpha)_j^f$).

3. $Z_{ij}$ is supposed to be the indicator function of $(C(\alpha)_i, C(\alpha)_j)$ (i.e.,
$Z_{ij}(x,y)$ should be 1 if $x = C(\alpha)_i$ and $y = C(\alpha)_j$; and 0 otherwise).

4. $S_{ijk}$ is supposed to be the indicator function of $(\alpha_i, \alpha_j)$ (i.e., $S_{ijk}(a, b) =
1$ if $\alpha_i = a$ and $\alpha_j = b$; and 0 otherwise).

Figure 3: Intent of variables of $C'(\Psi)$.

We categorize the constraints of $C'(\Psi)$ as being of two different types, namely basic
constraints that aim to enforce rudimentary checks of Items 1 and 2 of Figure 3, and
consistency constraints that aim to use the $Z_{ij}$'s and $S_{ijk}$'s to check that the $Y^{e,f}$ matrices
are consistent with an encoding of a good assignment to $\Psi$. As a comparison with the
reduction for $\mathbb{F}_2$ in Section 3, the basic constraints correspond to the horizontal arrows on
the upper side of Figure 1 and the consistency constraints correspond to the other arrows,
i.e., Equations (1')-(8).

Keeping the interpretation from Figure 3 in mind, the basic constraints that we impose
are given in Figure 4.



1. For $0 \leq e \leq q - 1$, $Y^e \in P_e$.

2. For $q \leq e \leq 2(q - 1)$, $Y^e = Y^{e-(q-1)}$.

3. For $0 \leq e, f \leq q - 1$:

   (a) $Y^{e,f} \in P_e \otimes P_f$.

   (b) The diagonal of $Y^{e,f}$ equals $Y^{e+f}$.

4. For $0 \leq e \leq q - 1$, the rows (resp. columns) of $Y^{0,e}$ (resp. $Y^{e,0}$) are
identical (and therefore equal to $Y^e$ as this is the diagonal).

5. The matrix $Y^{q-1,q-1}$ is symmetric$^1$.

Figure 4: Basic constraints of $C'(\Psi)$.

Note that all entries of the matrix $Y^{0,0}$ must be equal, and that in the intended
assignment they should equal the constant 1. For notational convenience let us write $Y_0 \in \mathbb{F}_q$ for
the value of the entries of $Y^{0,0}$ (this variable plays the same role as the variable $x_0$ in the
reduction for $\mathbb{F}_2$ in Section 3).

$^1$ In general we could add the constraint that $Y^{e,f} = (Y^{f,e})^T$ for every $e, f$, but it turns out we only need
it for the case $e = f = q - 1$.






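We then turn to the consistency constraints of $C'(\Psi)$, which are described in Figure 5.

1. For every constraint $x_k = 1 + x_i \cdot x_j$ of $\Psi$, four constraints on $S_{ijk}$:

\begin{align}
Y_0 &= \sum_{a,b \in \mathbb{F}_2} S_{ijk}(a,b), & \alpha_i &= \sum_{a,b \in \mathbb{F}_2} a \cdot S_{ijk}(a,b), \tag{11} \\
\alpha_j &= \sum_{a,b \in \mathbb{F}_2} b \cdot S_{ijk}(a,b), & \alpha_k &= \sum_{a,b \in \mathbb{F}_2} (1 \oplus a \cdot b) \cdot S_{ijk}(a,b). \notag
\end{align}

2. For every $1 \leq i, j \leq N$ and $0 \leq e, f \leq q - 1$, the constraint

$$Y^{e,f}(i,j) = \sum_{x,y \in \mathbb{F}_q} x^e y^f Z_{ij}(x,y). \tag{12}$$

Figure 5: Consistency constraints of $C'(\Psi)$.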



The four equations (11) are the same as Equations (1')-(4) from the $\mathbb{F}_2$ reduction, the
only difference being that they are now constraints over $\mathbb{F}_q$. Note that instead of $Y_0$ we
would like to use the constant 1 in the above constraint, but as we are not allowed to do this
we use $Y_0$, which, as mentioned above, is intended to equal 1. Note also that $Y^1 = C(\alpha)$, and
thus $\alpha$ is implicitly defined by $Y^1$. If one wanted to be precise, one would write $C^{-1}(Y^1)_i$
instead of $\alpha_i$ in the above equations.

Note that the function $S_{ijk}$ is an invertible linear transformation of $\{Y_0, \alpha_i, \alpha_j, \alpha_k\}$ and
hence is non-zero if and only if one of those four variables is non-zero. Similarly, from
(12) it follows that $Z_{ij}$ is an invertible linear transformation of the set of $(i,j)$'th entries of
the $q^2$ different matrices $\{Y^{e,f}\}_{0 \leq e,f \leq q-1}$ (this is an immediate consequence of Fact 4.1). In
particular $Z_{ij}$ is non-zero if and only if the $(i,j)$'th entry of some matrix $Y^{e,f}$ is non-zero.

The final code $C(\Psi)$ contains the projection of these variables to the functions $Z_{ij}$ and
the functions $S_{ijk}$, with each $S_{ijk}$ repeated $r \geq 1$ times. Note that $C(\Psi)$ is a subspace of
$\mathbb{F}_q^M$ where $M = (qN)^2 + 4rm$. The completeness and soundness are as follows.

Lemma 5.1 (Completeness). If $\mathrm{Opt}(\Psi) = 1$ then

$$d(C(\Psi)) \leq N^2 + rm.$$

Lemma 5.2 (Soundness). If $\mathrm{Opt}(\Psi) < 1 - \delta$ then

$$d(C(\Psi)) \geq \min\left( N^2 + (1 + \delta)rm,\ (1 + 1/q)N^2 \right).$$

Lemma 5.3 ($C$ is a Good Code). The dimension of $C(\Psi)$ is $\Omega(N^2)$, and the distance is at
least $N^2$.

Setting $r \approx \frac{N^2}{(1+\delta)qm}$, Lemmas 5.1-5.3 give Theorem 1.1 (for the case $q \geq 3$).
In the following three subsections we prove the three lemmas.
In the following three subsections we prove the three lemmas. 
5.1 Proof of Completeness

We first consider the Completeness Lemma 5.1, which is straightforward to prove.

Proof of Lemma 5.1. Given a satisfying assignment $\alpha \in \mathbb{F}_2^n$ to the set of quadratic
equations, we construct a good codeword by following the intent described in Figure 3. Clearly
this satisfies all the basic constraints.

To check the constraints on $Z_{ij}$, recall that it is defined as

$$Z_{ij}(x,y) = \begin{cases} 1 & \text{if } (x,y) = (C(\alpha)_i, C(\alpha)_j) \\ 0 & \text{otherwise.} \end{cases}$$

This choice of $Z_{ij}$ satisfies its $q^2$ constraints since for any $0 \leq e, f \leq q - 1$

$$\sum_{x,y} x^e y^f Z_{ij}(x,y) = C(\alpha)_i^e C(\alpha)_j^f = Y^{e,f}(i,j).$$

Analogously, for the constraints on $S_{ijk}$ we have

$$S_{ijk}(a,b) = \begin{cases} 1 & \text{if } (a,b) = (\alpha_i, \alpha_j) \\ 0 & \text{otherwise,} \end{cases}$$

which is again easily verified to satisfy its four constraints and hence this constitutes a
codeword.

The weight of the codeword is $N^2 + rm$, since each $Z_{ij}$ and each $S_{ijk}$ has exactly one
non-zero coordinate. □



5.2 Proof of Soundness 

In this section we prove the Soundness Lemma 5.2, which is the part that requires the most 
work. Let us first describe the intuition. 

In the analysis, we view codewords where Yq ≠ 0 as resembling a valid encoding of some 
$\alpha \in \mathbb{F}_q^n$ and for these we shall argue that small weight corresponds to a good assignment to 
$\Psi$. 

Most of the complication comes from analysing codewords where Yq = 0, which we think 
of as not resembling a valid encoding of some $\alpha$. For such codewords we argue that there 
must be a lot of weight on the $Z_{ij}$'s. To pull off this argument, we look at a non-zero $Y^{e,f}$ 
that has $d = e + f$ minimal. Then we look at the set of $Z_{ij}$'s that are non-zero. The total 
number of such $Z_{ij}$'s can be lower bounded using the distance bound on $Y^{e,f}$ (though this 
bound unfortunately gets worse as $d$ increases). The fact that every $Y^{e',f'}$ with $e' + f' < d$ 
is zero gives a set of $\Omega(d^2)$ linear constraints on every such $Z_{ij}$. These constraints induce 
a linear code over $\mathbb{F}_q^{q^2}$ to which each $Z_{ij}$ must belong. We then argue that as $d$ increases, 
the distance of this linear code increases as well, meaning that the non-zero $Z_{ij}$'s must 
have an increasingly larger number of non-zero entries. This increased distance balances 
the decrease in the number of non-zero $Z_{ij}$'s, allowing us to conclude that no matter the 
value of $d$, the total number of non-zero entries among all the $Z_{ij}$'s is always large. 

Before we proceed with the formal proof of the soundness, let us state two lemmas that 
we use to obtain lower bounds on the distance of $Z_{ij}$. The proofs of these two lemmas can 
be found in Section 6. First, we have a lemma for the case when $d$ is small. 

Lemma 5.4. Suppose $f : \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_q$ is a non-zero function satisfying 

$$\sum_{x,y \in \mathbb{F}_q} x^a y^b f(x,y) = 0$$

for every $(a,b)$ such that $0 \le a,b \le q-1$ and $a + b < d$ for some $0 < d \le q-1$. Then 
$f(x,y) \ne 0$ for at least $d + 1$ points in $\mathbb{F}_q^2$. 

Second, we have a lemma for the case when $d$ is large. 

Lemma 5.5. Suppose $f : \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_q$ is a non-zero function satisfying 

$$\sum_{x,y \in \mathbb{F}_q} x^a y^b f(x,y) = 0$$

for every $(a,b)$ such that $0 \le a,b \le q-1$ and $a + b < d$ for some $q-1 \le d \le 2(q-1)$. 
Then $f(x,y) \ne 0$ for at least $q(d + 2 - q)$ points in $\mathbb{F}_q^2$. 

We are now ready to proceed with the proof of soundness. 

Proof of Lemma 5.2. Let $\{Z_{ij}\}_{i,j \in [N]}$ and $\{S_{ijk}\}_{(i,j,k) \in \Psi}$ be some non-zero codeword of $C(\Psi)$, 
and consider the induced values of the $Y$ variables. 

Let $(e,f)$ be such that $Y^{e,f}$ is non-zero and $e + f$ is minimal (breaking ties arbitrarily). 
Since the codeword is non-zero it follows that such an $(e,f)$ exists (by invertibility of (11) 
and (12)). 

We do a case analysis based on the value of $e + f$. 

Case 1: $e = f = 0$. This is the case when Yq ≠ 0. In other words, we think of the $Y$ 
variables as resembling a valid encoding of some assignment to $\Psi$ so that the soundness of 
$\Psi$ comes into play. 

If $e = f = 0$ we have that all $Z_{ij}$'s and $S_{ijk}$'s are non-zero and hence the weight is at 
least $N^2 + rm$. We will show that the soundness condition of $\Psi$ implies that a $\delta$ fraction of 
the $S_{ijk}$'s must in fact have two non-zero entries, so that the total weight of the codeword 
is at least 

$$N^2 + (1 + \delta)rm.$$

To see this, construct an assignment to the quadratic equations instance as follows. Let 
$\alpha = C^{-1}(Y^1) \in \mathbb{F}_q^n$. From the $\alpha_i$, $i \in [n]$, we define a boolean assignment $\beta$ as follows: 
$\beta_i = 0$ if $\alpha_i = 0$, and $\beta_i = 1$ otherwise. We claim that every constraint $X_k = 1 + X_i \cdot X_j$ 
for which $S_{ijk}$ only has a single non-zero entry is satisfied by $\beta$. Indeed, suppose that 
$S_{ijk}(a,b) = c \ne 0$ and all other values of $S_{ijk}$ are 0. Then the constraints on $S_{ijk}$ imply that 

$$\alpha_i = a \cdot c, \qquad \alpha_j = b \cdot c, \qquad \alpha_k = (1 \oplus ab) \cdot c,$$

which implies that $\beta_i = a$, $\beta_j = b$, and $\beta_k = 1 \oplus ab = 1 \oplus \beta_i \cdot \beta_j$. By the soundness assumption 
$\mathrm{Opt}(\Psi) < 1 - \delta$, and hence at least a $\delta$ fraction of the constraints are not satisfied by $\beta$; the 
corresponding $S_{ijk}$'s must therefore have at least two non-zero entries. 

Case 2: $0 < e + f < q - 1$. Let $d = e + f$. The minimality of $e + f$ implies that $Y^{a,b} = 0$ for 
all $a + b < d$. From Equation (12), we have that for all $a + b < d$, $\sum_{x,y \in \mathbb{F}_q} x^a y^b Z_{ij}(x,y) = 0$. 
Applying Lemma 5.4, each non-zero $Z_{ij}$ has at least $d + 1$ non-zero entries. Furthermore 
the fraction of non-zero $Z_{ij}$'s is at least $1 - d/q$. This is because the distance of the codes 
$P_e$ and $P_f$ is at least $1 - e/q$ and $1 - f/q$ respectively, and hence the distance of the code 
$P_e \otimes P_f$ is at least $(1 - e/q)(1 - f/q) \ge 1 - d/q$. Thus at least a $1 - d/q$ fraction of entries of 
$Y^{e,f}$ are non-zero and by Equation (12), the same applies to $Z_{ij}$. Hence the total number 
of non-zero entries over all $Z_{ij}$ is at least 

$$N^2 (1 - d/q)(d + 1) \ge N^2 \, \frac{2(q-1)}{q} \ge \frac{4}{3} N^2,$$

where the first inequality follows by noting that for $1 \le d \le q - 2$ the left hand side is 
minimized by $d = 1$ and $d = q - 2$, and the second inequality follows from the assumption 
$q \ge 3$. 



Case 3: $e + f = q - 1$. In this case, either of Lemma 5.4 or Lemma 5.5 gives that any 
non-zero $Z_{ij}$ has $q$ non-zero entries. 

The fraction of $Z_{ij}$'s that are non-zero is at least $(1 - e/q)(1 - f/q) = 1/q + ef/q^2$. 
Unfortunately, if $ef = 0$ this bound is not good enough. However, note that if $Y^{0,q-1}$ (or 
$Y^{q-1,0}$) is non-zero then so is $Y^{q-1}$ (by Figure 3 item 4) implying that $Y^{q-2,1}$ is non-zero 
(since by Figure 3 item 3(b), it has $Y^{q-1}$ as diagonal). Hence we may assume without loss 
of generality that $ef \ge q - 2$ so that at least a fraction $1/q + (q-2)/q^2 = 2(q-1)/q^2$ of 
the $Z_{ij}$'s are non-zero. 

Thus we see that the total weight of the codeword is at least 

$$N^2 \cdot \frac{2(q-1)}{q^2} \cdot q = N^2 \cdot \frac{2(q-1)}{q} \ge \frac{4}{3} N^2.$$

Case 4: $q - 1 < e + f < 2(q - 1)$. Let $e + f = q - 1 + s$ for $1 \le s < q - 1$. In this case, 
Lemma 5.5 gives that any non-zero $Z_{ij}$ has $q \cdot (e + f + 2 - q) = q(s + 1)$ non-zero entries. 
The fraction of $Z_{ij}$'s that are non-zero is at least $(1 - e/q)(1 - f/q) = 1 - (e + f)/q + ef/q^2$. 
Furthermore, since $0 \le e,f \le q - 1$ we must have that $\min(e,f) \ge s$ so that $ef \ge s(q - 1)$. 
Hence 

$$1 - (e + f)/q + ef/q^2 \ge 1 - \frac{q-1+s}{q} + \frac{s(q-1)}{q^2} = \frac{q-s}{q^2}.$$

Thus, the total weight of all the $Z_{ij}$'s is lower bounded by 

$$N^2 \cdot \frac{q-s}{q^2} \cdot q(s+1) = N^2 \cdot \frac{(q-s)(s+1)}{q} \ge N^2 \cdot \frac{2(q-1)}{q} \ge \frac{4}{3} N^2.$$

Case 5: $e + f = 2(q - 1)$. The only remaining case is when $e = f = q - 1$. Now 
Lemma 5.5 gives that any non-zero $Z_{ij}$ has $q^2$ non-zero entries. On the other hand, a 
priori, the distance of $Y^{q-1,q-1}$ is as small as $1/q^2$, which seems problematic. However, we 
still have some leeway: recall that the diagonal of $Y^{q-1,q-1}$ should equal $Y^{2(q-1)} = Y^{q-1}$ 
which also happens to be the diagonal of $Y^{q-1,0}$ (Figure 3 items 3(b) and 2). Since $Y^{q-1,0}$ 
is identically 0 this means that the diagonal of $Y^{q-1,q-1}$ has to be zero. By Lemma 2.6 we 
can then conclude that at least a fraction $\frac{1}{q^2} \cdot (1 + 1/q)$ of the $Z_{ij}$'s are non-zero. As each 
such $Z_{ij}$ has $q^2$ non-zero entries, we see that the total weight of the codeword is at least 

$$N^2 \cdot (1 + 1/q).$$

This concludes the proof of Lemma 5.2. □ 

5.3 Proof That The Code Is Good 

In this section we prove Lemma 5.3, that $C(\Psi)$ is a good code. After the soundness analysis, 
this becomes relatively easy. To get the bound on the rate of the code, we need the following 
simple lower bound on the rate of a certain restricted tensor product of a code. 

Claim 5.6. Let $C \subseteq \mathbb{F}_q^n$ be a linear code and consider the linear subspace of $C \otimes C$ in which every 
codeword is restricted to be symmetric. Then this subspace has dimension at least $\dim(C)^2/2$. 

Proof. Let $G \in \mathbb{F}_q^{n \times k}$ be the generator matrix of $C$, where $k = \dim(C)$. It is easy to check 
that the generator matrix of $C \otimes C$ is $G \otimes G \in \mathbb{F}_q^{n^2 \times k^2}$. We think of $G \otimes G$ as mapping a 
$k \times k$ matrix $X$ to an $n \times n$ matrix $Y = (G \otimes G)X$ where 

$$Y_{i_1,i_2} = \sum_{j_1,j_2 \in [k]} g_{i_1,j_1} \, g_{i_2,j_2} \, X_{j_1,j_2}.$$

It is easily verified that if $X$ is symmetric then so is $Y$, so the dimension of the symmetric subspace is at least the 
dimension of the space of symmetric $k \times k$ matrices over $\mathbb{F}_q$, which is at least $k^2/2$. □ 

We can now prove that $C(\Psi)$ is a good code. 

Proof of Lemma 5.3. Let us first consider the distance of $C(\Psi)$. In Lemma 5.2 it is shown 
that any codeword for which Yq = 0 has at least $N^2(1 + 1/q) > N^2$ non-zero entries. On 
the other hand, if Yq ≠ 0 each $Z_{ij}$ and $S_{ijk}$ must have at least one non-zero entry, for a 
total of $N^2 + rm > N^2$ non-zero entries. 

It remains to prove that $C(\Psi)$ has large dimension, which requires a little more work. 
Let $\alpha \in \mathbb{F}_q^n$ and assign every matrix $Y^{e,f}$ except $Y^{q-1,q-1}$ according to the intent of Figure 3. 
I.e., for $(e,f) \ne (q-1, q-1)$ we set $Y^{e,f}(i,j) = C(\alpha)_i^e \, C(\alpha)_j^f$. 

We shall show that there are still $q^{\Omega(N^2)}$ ways to choose $Y^{q-1,q-1}$ so that the resulting 
set of values satisfy the basic constraints of Figure 3. Then, from the invertibility of Equations 
(11) and (12) of Figure 3 it follows that each of these $q^{\Omega(N^2)}$ ways to choose $Y^{q-1,q-1}$ 
extends to a unique codeword of $C(\Psi)$. 

By Claim 5.6, the space of matrices $Y^{q-1,q-1}$ satisfying Items 3(a) and 5 of Figure 3 
has dimension at least $\dim(P_{q-1})^2/2 \ge n^{2(q-1)}/2 = \Omega(N^2)$ (recall that $N = O(n^{q-1})$). The 
only additional constraint on $Y^{q-1,q-1}$ is Item 3(b) of Figure 3 that the diagonal has to be 
$Y^{2(q-1)} = Y^{q-1}$. However, this can reduce the dimension by at most $N$, so the remaining 
dimension is still $\Omega(N^2)$. 

□ 

6 Combinatorial Lemmas 

In this section we prove the combinatorial lemmas used in the proof of Lemma 5.2. 

Lemma 5.4 restated. Suppose $f : \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_q$ is a non-zero function satisfying 

$$\sum_{x,y \in \mathbb{F}_q} x^a y^b f(x,y) = 0$$

for every $(a,b)$ such that $0 \le a,b \le q-1$ and $a + b < d$ for some $0 < d \le q-1$. Then 
$f(x,y) \ne 0$ for at least $d + 1$ points in $\mathbb{F}_q^2$. 



Proof. Let $X = \{x : \exists y \, f(x,y) \ne 0\}$ and $Y = \{y : \exists x \, f(x,y) \ne 0\}$. Without loss of 
generality, assume that $|X| \ge |Y|$. Define $g : \mathbb{F}_q \to \mathbb{F}_q$ by 



First suppose $g$ is non-zero. Then we use the fact that 

x x,y 

for every $a < d$, which implies that $g$ has to be non-zero in at least $d + 1$ points. This is 
because in the $d \times q$ matrix whose rows are $(x^a)_{x \in \mathbb{F}_q}$ for $0 \le a \le d - 1$, any $d$ columns form 
a Vandermonde matrix and hence are linearly independent. We used here the fact that 
$d \le q - 1$. Thus $f$ also has to be non-zero in $d + 1$ points and we are done. Hence we can 
now assume that $g$ is identically 0. 

Let $|X| = s$ and $|Y| = t$. Since $g$ is identically 0, it must hold that for any $x \in X$ there 
are at least two different $y$'s such that $f(x,y) \ne 0$, implying that $f$ is non-zero for at least 
$2s$ different points. We now show that $s + t \ge d + 2$ which implies that $s \ge (d+2)/2$ (since we 
assumed $s \ge t$) so that $f$ must be non-zero on at least $d + 2$ points. 

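Consider the Vandermonde matrices 

$$A_X = \begin{pmatrix} 1 & x_1 & x_1^2 & \cdots & x_1^{s-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & x_s & x_s^2 & \cdots & x_s^{s-1} \end{pmatrix}, \qquad A_Y = \begin{pmatrix} 1 & y_1 & y_1^2 & \cdots & y_1^{t-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & y_t & y_t^2 & \cdots & y_t^{t-1} \end{pmatrix},$$

where $x_1, \ldots, x_s$ are the elements of $X$ and $y_1, \ldots, y_t$ are the elements of $Y$. Since $A_X$ and 
$A_Y$ are non-singular, so is $B := (A_X \otimes A_Y)^T$. The matrix $B$ is an $st \times st$ matrix such that 
for any $0 \le a < s$, $0 \le b < t$, its $(a,b)$'th row is $(x_i^a y_j^b)_{i \in [s], j \in [t]}$. 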

Since $f$ is not identically zero on $X \times Y$ and $B$ is non-singular, the dot product of $f$ 
restricted to $X \times Y$ with some row of $B$ is non-zero, i.e., there exists a row $(a,b)$ such that 

$$0 \ne \sum_{i \in [s],\, j \in [t]} f(x_i, y_j) \, x_i^a y_j^b = \sum_{x,y \in \mathbb{F}_q} x^a y^b f(x,y),$$

where for the second equality we noted that $f$ is zero outside of $X \times Y$. From the hypothesis 
of the Lemma, we must have $a + b \ge d$ and therefore $s + t \ge a + b + 2 \ge d + 2$. □ 

For the next lemma we first have the following easy claim. 

Claim 6.1. Let $0 \le a \le q - 2$. Then $\sum_{x \in \mathbb{F}_q} x^a = 0$. 

Proof. The case $a = 0$ is trivial. For $a > 0$, let $g$ be a generator for $\mathbb{F}_q^*$ and define $h = g^a$. 
Since $1 \le a \le q - 2$ we have $h \ne 1$ and by Fermat's little theorem we have $h^{q-1} = 1$. Thus 
we have 

$$\sum_{x \in \mathbb{F}_q} x^a = \sum_{i=0}^{q-2} g^{ai} = \sum_{i=0}^{q-2} h^i = \frac{h^{q-1} - 1}{h - 1} = 0.$$

□ 

Now we prove the second lemma. 

Lemma 5.5 restated. Suppose $f : \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_q$ is a non-zero function satisfying 

$$\sum_{x,y \in \mathbb{F}_q} x^a y^b f(x,y) = 0 \qquad (13)$$

for every $(a,b)$ such that $0 \le a,b \le q-1$ and $a + b < d$ for some $q - 1 \le d \le 2(q - 1)$. Then 
$f(x,y) \ne 0$ for at least $q(d + 2 - q)$ points in $\mathbb{F}_q^2$. 

Proof. Let 

$$S = \{(a,b) : 0 \le a,b \le q-1,\ a + b < d\}$$

$$T = \{(e,\ell) : 0 \le e,\ell \le q-1,\ e + \ell \le 2(q-1) - d\}$$

Note that $|S| + |T| = q^2$ since the mapping $(e,\ell) \mapsto (q-1-e,\ q-1-\ell)$ forms a bijection 
from $T$ to $\{0, 1, \ldots, q-1\}^2 \setminus S$. 

Now, the functions $f$ satisfying (13) for every $(a,b) \in S$ form a linear subspace $V$ of $\mathbb{F}_q^{q^2}$ 
of dimension $q^2 - |S| = |T|$. 

We identify the following basis for $V$: for every $(e,\ell) \in T$, let $g_{e\ell}(x,y) = x^e y^\ell$. It is clear 
that the $g_{e\ell}$'s are linearly independent (since they are a subset of the standard polynomial 
basis for functions $\mathbb{F}_q^2 \to \mathbb{F}_q$; Fact 4.1) and that $|\{g_{e\ell}\}| = |T| = \dim V$, so we only have to 
check that each $g_{e\ell}$ indeed lies in $V$. We have 

$$\sum_{x,y} x^a y^b g_{e\ell}(x,y) = \sum_{x,y} x^{a+e} y^{b+\ell}.$$

By Claim 6.1 we see that this vanishes if either $a + e < q - 1$ or $b + \ell < q - 1$. But this 
must hold, since otherwise we would have $(a + b) + (e + \ell) \ge 2(q - 1)$ contradicting that 
$(a,b) \in S$ and $(e,\ell) \in T$. 

From this we can conclude that any function $f : \mathbb{F}_q^2 \to \mathbb{F}_q$ satisfying condition (13) can 
be written as a polynomial of total degree at most $2(q - 1) - d$. By the Schwartz-Zippel 
Lemma 4.2 a non-zero such $f$ can be zero on at most a fraction $\frac{2(q-1)-d}{q}$ of the points of $\mathbb{F}_q^2$ and 
so $f$ has to be non-zero on at least 

$$q^2 \left(1 - \frac{2(q-1) - d}{q}\right) = q(d + 2 - q)$$

points. □ 
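
The following Python check is an added example, not part of the paper. It assumes $q$ is prime, so that $\mathbb{F}_q$ is the integers mod $q$ (all function names are illustrative), and it verifies Claim 6.1 and the basis step in the proof of Lemma 5.5, then brute-forces the minimum support size over the constructed small case $q = 3$ against the bounds of Lemmas 5.4 and 5.5.

```python
from itertools import product

def index_sets(q, d):
    """S = constrained exponent pairs, T = exponents of the claimed basis monomials."""
    cells = list(product(range(q), repeat=2))
    S = [(a, b) for a, b in cells if a + b < d]
    T = [(e, l) for e, l in cells if e + l <= 2 * (q - 1) - d]
    return S, T

def moment(f, a, b, q):
    """sum_{x,y} x^a y^b f(x,y) in F_q; pow(0, 0, q) == 1 gives the 0^0 = 1 convention."""
    return sum(pow(x, a, q) * pow(y, b, q) * f[x * q + y]
               for x in range(q) for y in range(q)) % q

def claim_6_1(q):
    """Claim 6.1: sum_x x^a == 0 in F_q for every 0 <= a <= q-2."""
    return all(sum(pow(x, a, q) for x in range(q)) % q == 0 for a in range(q - 1))

def monomials_span_check(q, d):
    """Each x^e y^l with (e,l) in T satisfies (13) on all of S, and |S| + |T| = q^2."""
    S, T = index_sets(q, d)
    for e, l in T:
        g = [pow(x, e, q) * pow(y, l, q) % q for x in range(q) for y in range(q)]
        if any(moment(g, a, b, q) for a, b in S):
            return False
    return len(S) + len(T) == q * q

def min_weight(q, d):
    """Brute force: fewest non-zero values of a non-zero f satisfying (13) for a+b < d."""
    S, _ = index_sets(q, d)
    best = q * q + 1
    for f in product(range(q), repeat=q * q):
        weight = sum(v != 0 for v in f)
        if 0 < weight < best and all(moment(f, a, b, q) == 0 for a, b in S):
            best = weight
    return best

def lemma_bound(q, d):
    """d+1 from Lemma 5.4 (d <= q-1), q(d+2-q) from Lemma 5.5 (d >= q-1)."""
    return d + 1 if d <= q - 1 else q * (d + 2 - q)

if __name__ == "__main__":
    q = 3  # constructed small case; prime, so F_q is the integers mod q
    for d in range(2 * (q - 1) + 1):
        print(d, min_weight(q, d), lemma_bound(q, d))
```

For $q = 3$ the brute-force minimum equals the lemma bound for every $d$, so both bounds are tight in this small case.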